The National Security Agency (NSA), Federal Bureau of Investigation (FBI), and co-authoring agencies warn that Russian Foreign Intelligence Service (SVR) cyber actors are exploiting a publicly known vulnerability to compromise victims globally, including in the United States and in allied countries. To raise awareness and help organizations identify, protect, and mitigate this malicious activity, the authoring agencies jointly released the Cybersecurity Advisory (CSA), “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally,” on December 13.
The CSA details the tactics, techniques, and procedures (TTPs) employed by the SVR actors, technical details of their operation, indicators of compromise (IOCs), and mitigation recommendations for network defenders.
“Russian cyber actors continue taking advantage of known vulnerabilities for intelligence collection,” said Rob Joyce, Director of NSA’s Cybersecurity Directorate. “It is critical to ensure systems are patched quickly, and to implement the mitigations and use the IOCs listed in this report to hunt for adversary persistent access.”
The U.S. Cybersecurity & Infrastructure Security Agency (CISA), the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) collaborated with NSA and the FBI to assess the SVR cyber actors’ recent malicious activities.
The SVR cyber actors, who are also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, have been targeting Internet-connected JetBrains TeamCity servers globally as early as September 2023. Victims identified in the report include companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games, as well as hosting companies, tool manufacturers, small and large IT companies, and an energy trade association.
The CSA notes that SVR actors exploit a known vulnerability, CVE-2023-42793, to gain initial access to the TeamCity servers and then perform malicious activities, such as escalating privileges, moving laterally, deploying additional backdoors, and taking other steps to ensure persistent, long-term access to the compromised network environments.
According to the CSA, software developers use TeamCity servers to manage and automate software development, compilation, testing, and releasing. Access to a TeamCity server can provide malicious actors with access to source code, signing certificates, and the ability to subvert software compilation and deployment processes and conduct malicious supply chain operations.
The agencies recommend organizations implement the mitigations in the advisory to improve their cybersecurity posture based on the SVR cyber actors’ malicious activity. Mitigations listed in the CSA include implementing a patch issued by JetBrains TeamCity, deploying host-based and endpoint protection systems, using multi-factor authentication, and auditing log files.
Read the full report here.
Source: NSA
Stay in the know with breaking news from across the IC and IC contracting landscape by becoming a paid subscriber to IC News. Your support makes our work possible.
By Loren Blinde
December 15, 2023
